How to Investigate a Suspicious Mailbox in Exchange Online (Complete Incident Response Guide)
A compromised mailbox is one of the most common security incidents Microsoft 365 administrators face. Whether the attacker obtained a user’s password through phishing, stole an authentication token, or exploited a malicious OAuth application, the mailbox often becomes the first target. Once inside, attackers rarely stop at reading emails—they frequently create forwarding rules, delete evidence, monitor conversations, and use the mailbox to launch Business Email Compromise (BEC) attacks against customers and colleagues.
The challenge is that these attacks are not always obvious. In many cases, users only notice something is wrong days or even weeks later. A missing email, an unexpected reply from a customer, or a security alert from Microsoft Defender may be the first indication that someone else has been accessing the mailbox.
Knowing how to investigate suspicious mailbox activity quickly and methodically is essential for minimizing damage. Rather than checking random settings, administrators should follow a structured investigation process that combines information from Microsoft Entra ID, Exchange Online, Microsoft Purview, and Microsoft Defender for Office 365.
This guide walks through that process step by step.
Recognizing the Signs of a Compromised Mailbox
Every investigation begins with identifying why the mailbox is considered suspicious in the first place. While some compromises trigger automated alerts, many are discovered through unusual user reports.
Common indicators include:
- Emails appearing in the Sent Items folder that the user never sent.
- Important emails disappearing from the Inbox without explanation.
- Customers reporting strange replies or unexpected payment requests.
- Unexpected forwarding rules sending copies of emails to external addresses.
- Successful sign-ins from countries where the user has never traveled.
- Multiple failed sign-in attempts followed by a successful login.
- Unexpected mailbox delegates or permissions.
- Security alerts generated by Microsoft Defender for Office 365.
- Suspicious OAuth consent requests.
- Users reporting MFA prompts they did not initiate.
One indicator alone does not necessarily confirm a compromise. However, several indicators occurring together should immediately trigger an investigation.
Step 1 – Contain the Incident First
Many administrators immediately begin reviewing audit logs while the attacker still has access to the mailbox. This is a common mistake.
Before performing a detailed investigation, reduce the attacker’s ability to continue using the compromised account.
Typical containment actions include:
- Reset the user’s password.
- Revoke all active refresh tokens.
- Force reauthentication.
- Verify Multi-Factor Authentication is enabled.
- Temporarily block sign-in if necessary.
- Remove suspicious sessions.
In Microsoft Entra Admin Center, administrators can revoke all active sessions for the user. This forces every authenticated session—including mobile devices and browsers—to obtain a new authentication token.
If token theft is suspected, revoking sessions should be one of the very first actions.
Step 2 – Review Microsoft Entra Sign-in Logs
After the account has been contained, begin examining authentication activity.
Microsoft Entra sign-in logs often reveal how the attacker gained access.
Focus on questions such as:
- Did the attacker authenticate successfully?
- From which country?
- Which IP address was used?
- Was MFA successfully completed?
- Which application was used?
- Which authentication method was used?
- Was Conditional Access applied?
When reviewing sign-ins, administrators often focus only on failed logins. In reality, successful sign-ins usually provide much more valuable information.
Pay particular attention to:
Impossible Travel
If the user signs in from London at 9:00 AM and another successful sign-in appears from Brazil fifteen minutes later, this should immediately raise suspicion.
Although VPN usage can occasionally explain these events, impossible travel detections frequently indicate stolen credentials or stolen session tokens.
Authentication Method
Review whether authentication occurred through:
- Password only
- Password + MFA
- Passkey
- Windows Hello for Business
- OAuth refresh token
- Legacy Authentication
Legacy authentication is particularly dangerous because it bypasses many modern security controls.
If successful authentication occurs through IMAP, POP3, or SMTP AUTH when these protocols are not expected, investigate immediately.
Step 3 – Examine Mailbox Audit Logs
Authentication tells you who accessed the mailbox.
Mailbox auditing tells you what they actually did.
Exchange Online enables mailbox auditing by default, making it one of the most valuable forensic resources during an investigation.
Useful activities include:
- MailItemsAccessed
- HardDelete
- SoftDelete
- MoveToDeletedItems
- SendAs
- SendOnBehalf
- UpdateInboxRules
- CreateInboxRule
- FolderBind
- MailboxLogin
One event deserves particular attention:
MailItemsAccessed
This audit event records when emails are actually accessed.
If a user claims confidential emails were stolen, this event may help determine exactly which messages were viewed by the attacker.
Unlike message trace, mailbox auditing focuses on user interaction rather than message transport.
For organizations handling sensitive information, MailItemsAccessed events are often crucial during forensic investigations.
Step 4 – Investigate Inbox Rules
One of the oldest—and still most effective—techniques used by attackers is creating hidden inbox rules.
Rather than stealing passwords repeatedly, attackers simply allow the mailbox to continue receiving emails while automatically forwarding, hiding, or deleting messages.
Common malicious rules include:
- Delete messages containing “invoice”
- Move emails from the finance department
- Forward every incoming email externally
- Mark important emails as read
- Hide MFA verification emails
These rules allow attackers to remain undetected for weeks.
Administrators should review every inbox rule, especially those:
- Created recently
- Forwarding messages externally
- Moving emails to RSS Feeds
- Moving emails into hidden folders
- Deleting messages automatically
PowerShell provides a quick way to review mailbox rules:
Get-InboxRule -Mailbox user@contoso.com
Do not assume every forwarding rule is malicious. Some users legitimately create automatic filing rules. Instead, focus on rules that match the timeline of the incident or interact with sensitive communications.
Step 5 – Check Mailbox Forwarding
Inbox rules are only one method attackers use.
Exchange Online also supports mailbox-level forwarding configured by administrators or through Exchange settings.
Unlike inbox rules, mailbox forwarding occurs before messages even reach the user’s Inbox.
Review:
- SMTP forwarding
- ForwardingAddress
- ForwardingSMTPAddress
- Remote domains
- Transport rules
PowerShell:
Get-Mailbox user@contoso.com | Format-List Forwarding*
Any unexpected external forwarding address should be investigated immediately.
Attackers frequently configure forwarding to free email providers so they continue receiving sensitive communications even after losing access to the compromised account.
Step 6 – Review Sent Items Carefully
Many investigations focus exclusively on incoming mail.
Experienced investigators know the Sent Items folder often tells a more complete story.
Look for:
- Messages sent during unusual hours.
- Emails written in a different tone.
- Replies containing payment instructions.
- New external recipients.
- Large numbers of outbound messages.
- Automatic replies the user did not configure.
If Microsoft Defender for Office 365 is deployed, correlate these findings with Threat Explorer to determine whether any suspicious outbound emails were detected or blocked.
Step 7 – Use Message Trace to Reconstruct the Timeline
Once mailbox activity has been reviewed, the next step is understanding how email moved through Exchange Online.
Message Trace helps answer questions such as:
- Was a suspicious email actually delivered?
- Was it quarantined?
- Did transport rules modify it?
- Was it rejected because of SPF, DKIM, or DMARC?
- Which connector processed the message?
- How long did delivery take?
Unlike mailbox audit logs, Message Trace focuses on the transport pipeline rather than user activity. Using both sources together allows administrators to build a much more accurate timeline of the incident.
Why Message Trace is critical in mailbox investigations
In real-world incidents, mailbox compromise is rarely just about access. It is often about email flow manipulation.
Attackers may:
- Send phishing emails that bypass initial spam filtering
- Use compromised accounts to send internally trusted messages
- Exploit transport rules to silently modify or redirect mail
- Trigger delayed delivery patterns to avoid detection windows
- Abuse trusted connectors in hybrid or third-party integrations
Message Trace helps you reconstruct not just what was received, but what should have been received and what happened in between.
This is especially important in cases of Business Email Compromise (BEC), where timing and delivery paths often reveal the attacker’s behavior.
Where to run Message Trace
You can access Message Trace from:
- Exchange Admin Center (EAC) → Mail flow → Message trace
- Or via PowerShell for deeper investigation
Basic PowerShell example:
Get-MessageTrace -SenderAddress user@contoso.com -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date)
For detailed analysis:
Get-MessageTraceDetail -MessageTraceId <ID> -RecipientAddress user@contoso.com
The detailed trace output gives you step-by-step events such as:
- Submitted
- Received
- Delivered
- Failed
- Quarantined
- Redirected
- Expanded (distribution groups)
- Transport rule applied
How to interpret Message Trace results
When analyzing a compromised mailbox, do not just look at “Delivered” or “Failed” status.
Instead, focus on the message journey:
1. Delivery path anomalies
If a message was:
- Delivered unusually fast or slow
- Routed through unexpected connectors
- Modified by transport rules
this may indicate either misconfiguration or malicious activity.
2. Transport rule interference
One of the most important indicators in Message Trace is transport rule application.
Attackers (or misconfigured admins) may create rules that:
- Append text to emails (e.g., “URGENT PAYMENT REQUIRED”)
- Redirect emails externally
- Bypass spam filtering
- Hide warnings from external senders
If Message Trace shows rule application on suspicious messages, you should immediately cross-check:
Get-TransportRule
3. SPF, DKIM, and DMARC failures
Message Trace also helps you identify authentication failures at the email level.
- SPF failures often indicate spoofed sending sources
- DKIM failures may indicate message tampering
- DMARC policy actions (quarantine/reject) show enforcement behavior
In compromised mailbox scenarios, attackers often use internal trust to bypass these controls entirely, so a mix of passed internal mail + failed external mail can be a strong indicator of abuse.
4. Quarantine and Defender actions
If Microsoft Defender for Office 365 is enabled, Message Trace will show whether messages were:
- Quarantined
- Blocked as malware/phishing
- Released by users or admins
- Held for ZAP (Zero-hour Auto Purge)
This helps determine whether the attack was partially contained automatically before reaching users.
Building the incident timeline
The real power of Message Trace comes when you combine it with:
- Entra ID Sign-in logs (who accessed the mailbox)
- Mailbox audit logs (what they did inside)
- Inbox rules (how messages were manipulated)
- Defender alerts (what was detected automatically)
Together, these allow you to reconstruct a full timeline:
- Initial sign-in from suspicious location
- Successful authentication via stolen token or password
- Inbox rule creation or modification
- Outbound phishing emails sent
- Message delivery or quarantine events
- Defender detection or user report
- Containment actions applied
This timeline is often the difference between a simple password reset incident and a full Business Email Compromise investigation.
Key takeaway
Message Trace is not just a delivery tool—it is a forensic timeline engine for Exchange Online.
When used correctly, it answers the most important question in any mailbox investigation:
“What actually happened to this email, and why?”
If you suspect a mailbox compromise or unusual email activity in your Microsoft 365 tenant, we can help.
We offer a free Microsoft 365 email security assessment to quickly identify risks, misconfigurations, and potential threats across Exchange Online and Entra ID.
Contact TFORTECH to request your assessment.
resources:
